On 2/9/07, Jochen Fabricius <[EMAIL PROTECTED]> wrote:
> my current pf.conf:
> ext_if="pppoe0"
> int_if="dc0"
> localnet=$int_if:network
>
> nat on $ext_if from $localnet to any -> ($ext_if)
> block all
> pass from { lo0, $localnet } to any keep state
>
I think there must be another line:
pass out on $ext_if all
Because "nat" processes packets _before_ the filter rules, the
outgoing packets on $ext_if have the address of $ext_if. They will be
blocked, because your only "pass" rule is for packets with an internal
source address.
Using the two improved lines from Stuart, I managed to get it working.
The pf.conf I had, however, was taken directly from a guide, and with
some tweaking, it now works very well. At least for the time being.
my current pf.conf:
ext_if = "pppoe0"
int_if = "dc0"
localnet = $int_if:network
scrub out on $ext_if max-mss 1440
nat on $ext_if from $localnet -> ($ext_if)
block in on $ext_if
pass quick on lo0
pass quick on $int_if
pass quick on $ext_if from $localnet to any flags S/SA keep state
pass quick on $ext_if proto {tcp,udp} from any to any port domain flags S/SA keep state
pass in inet proto icmp all keep state
Thanks again for the help. It will be great to have a real machine
doing the routing again, instead of a SMC wireless access point. :)
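The ordering Stuart describes (translation first, filter rules second, last matching rule wins unless it is "quick") is what makes the original ruleset drop the NATed packets. The following is an added example, not code from this thread or from pf itself: a toy model of that packet path, with constructed addresses standing in for pppoe0 and $int_if:network. It deliberately ignores the state table and scrub, so it shows only the rule-evaluation point made above.

```python
# Added example (not code from the thread): a toy model of the packet path
# Stuart describes, translation first and filter rules second, last matching
# rule wins unless it is "quick". It ignores state-table lookups and scrub.
# Interface addresses below are constructed for the example.
from __future__ import annotations
import dataclasses
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

EXT_IF = "pppoe0"
INT_IF = "dc0"
EXT_ADDR = ip_address("203.0.113.7")        # assumed address on pppoe0
LOCALNET = ip_network("192.168.1.0/24")     # assumed $int_if:network
LO_NET = ip_network("127.0.0.0/8")          # what "lo0" expands to


@dataclass(frozen=True)
class Packet:
    iface: str
    direction: str            # "in" or "out" relative to the firewall
    src: IPv4Address
    dst: IPv4Address


@dataclass(frozen=True)
class Rule:
    action: str               # "pass" or "block"
    direction: Optional[str] = None      # None matches both directions
    iface: Optional[str] = None          # None matches any interface
    src: tuple[IPv4Network, ...] = ()    # empty tuple means "from any"
    quick: bool = False

    def matches(self, p: Packet) -> bool:
        return ((self.direction in (None, p.direction))
                and (self.iface in (None, p.iface))
                and (not self.src or any(p.src in n for n in self.src)))


def nat_out(p: Packet) -> Packet:
    """nat on $ext_if from $localnet to any -> ($ext_if)"""
    if p.iface == EXT_IF and p.direction == "out" and p.src in LOCALNET:
        return dataclasses.replace(p, src=EXT_ADDR)
    return p


def filter_verdict(rules: list[Rule], p: Packet) -> str:
    verdict = "pass"          # pf passes a packet that matches no rule
    for r in rules:
        if r.matches(p):
            verdict = r.action
            if r.quick:       # "quick" stops evaluation at this rule
                break
    return verdict


def forward(rules: list[Rule], src: str, dst: str) -> dict[str, str]:
    """A LAN host's packet enters on $int_if and leaves on $ext_if;
    return the filter verdict at each hop, after translation."""
    s, d = ip_address(src), ip_address(dst)
    hops = {
        "in on " + INT_IF: Packet(INT_IF, "in", s, d),
        "out on " + EXT_IF: nat_out(Packet(EXT_IF, "out", s, d)),
    }
    return {name: filter_verdict(rules, pkt) for name, pkt in hops.items()}


# Jochen's original ruleset: block all, then pass from { lo0, $localnet }.
ORIGINAL = [
    Rule("block"),
    Rule("pass", src=(LO_NET, LOCALNET)),
]
# Stuart's fix: add "pass out on $ext_if all".
FIXED = ORIGINAL + [Rule("pass", direction="out", iface=EXT_IF)]

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, forward(rules, "192.168.1.10", "198.51.100.20"))
```

With the original rules the packet passes in on dc0 but, having been rewritten to the pppoe0 address, matches only "block all" on the way out; with the extra "pass out on $ext_if all" it passes at both hops. Note that this ordering belongs to the pf of that era: since OpenBSD 4.7, NAT is an option on filter rules ("match ... nat-to"), and the filter sees the packet with its original addresses.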